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Abstract 

Ramp secret sharing (SS) schemes can be classified into strong ramp SS schemes and weak 
ramp SS schemes. The strong ramp SS schemes do not leak out any part of a secret explicitly 
even in the case where some information about the secret leaks from a non-qualified set of 
shares, and hence, they are more desirable than weak ramp SS schemes. However, it is not 
known how to construct the strong ramp SS schemes in the case of general access structures. 
In this paper, it is shown that a strong ramp SS scheme can always be constructed from a 
SS scheme with plural secrets for any feasible general access structure. As a byproduct, it 
is pointed out that threshold ramp SS schemes based on Shamir's polynomial interpolation 
method are not always strong. 

1 Introduction 

A secret sharing (SS) scheme [1, 13] is a method to encode a secret S into n shares each of which 
has no information of S, but S can be decrypted by collecting several shares. For example, a 
(fc, n)-threshold SS scheme means that any k out of n shares can decrypt secret S although any 
k — 1 or less shares do not leak out any information of S. The {k, n)-threshold access structure 
can be generalized to so-called general access structures which consist of the families of qualified 
sets and forbidden sets. A qualified set is the subset of shares that can decrypt the secret, but 
any information does not leak out from any forbidden set. Generally, the efficiency of SS schemes 
is evaluated by the entropy of each share, and it must hold that H{Vi) > H{S) where H{S) 
and H{Vi) are the entropies of secret S and shares Vi, i = 1,2, . . . ,n, respectively [5, 9]. 

In order to improve the efficiency of SS schemes, ramp SS schemes are proposed, which have 
a trade-off between security and coding efficiency [2, 10-12, 14]. For instance, in the {k,L,n)- 
threshold ramp SS scheme [2,14], we can decrypt S from arbitrary k or more shares, but no 
information of S can be obtained from any k — L oi less shares. Furthermore, we assume that 
arbitrary k — i shares leak out about S with equivocation (i/L)H(S) for ^ = I,2,...,L. In the 
case where L = 1, the {k, L, n)-threshold SS scheme reduces to the ordinal (k, n)-threshold ramp 
SS scheme. Hence, to distinguish ordinal SS schemes with ramp SS schemes, we call ordinal 
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SS schemes perfect SS schemes. For any (k, L, n)-threshold access structure, we can reahze that 
H{Vi) = H{S)/L [14], and hence, ramp SS schemes are more efficient than perfect SS schemes 
[2, 14]. Furthermore, ramp schemes with general access structures are studied in [10-12]. 

Since non-forbidden sets with 1 < I < L — \ m. ramp SS schemes are allowed to leak out 
a part of a secret, it is important to analyze how the secret partially leaks out. For example, 
if a secret is a personal data that consists of name, address, job, income, bank account, etc., 
any part of the secret should not leak out explicitly. However, in the case that the security is 
measured by the conditional entropy, we cannot know whether or not some part of the secret 
can be decrypted from a non-forbidden set. Hence, Yamamoto introduced the notion of strong 
and weak ramp SS schemes [14]. A ramp SS scheme is called a strong ramp SS scheme if it does 
not leak out any part of a secret explicitly from any arbitrarily k — l shares for £ = 1, 2, . . . , L. A 
ramp SS scheme is weak if it is not strong. But, it is not given how to construct strong ramp SS 
schemes for arbitrary given general access structures although it is known for (A;, L, n)-threshold 
ramp SS schemes in [14]. 

In this paper, we discuss strong ramp SS schemes with general access structures. In section 
2, we define ramp SS schemes called partially decryptable (PD) ramp SS schemes, in which every 
non-qualified set with k — i shares can decrypt explicitly {L — t)/L parts of a secret. Then, we 
clarify the relation between PD ramp SS schemes and perfect SS schemes with plural secrets. 
We also point out that (/c, L, n)-ramp SS schemes based on Shamir's polynomial interpolation 
method are not always strong. Next, in section 3, we propose how to convert PD ramp SS 
schemes into strong ramp SS schemes by using a linear transformation, and we clarify that any 
access structure that can be realized as a weak ramp SS scheme can also be realized as a strong 
ramp SS scheme. 

2 Background and Preliminaries 

Let V = {Vi, V2, . . . , Vn} be the set of all shares, and let 2^ be the family of all the subsets of 
V. Denote a secret by an L-tuple S = {81,82, ■ ■ ■ , 8l}, and each element of S is assumed to 
be a mutually independent random variable according to the uniform distribution which takes 
values in a finite field F. We assume that |F| is sufficiently large-*^. Then, denote by H{S) and 
H{A) the entropies of the secret S and a set of shares A C V, respectively. 

For families Ae C 2^, £ = 0, 1, . . . , L, which consist of subsets of V, we define ramp SS 
schemes as follows: 

Definition 1 Let S and F^, = {Ao, Ai, . . . ,Al} be a given secret and a given access structure. 
Then, {S,V,rL} is called a ramp secret sharing (SS) scheme if every subset A E Ae satisfies 
the following for ^ = 0, 1, . . . , L. 

HiS\A) = ^HiS). (1) 

□ 

^Throughout this paper, a set of shares and a family of share sets are represented by upper case bold-face and 
calligraphic font letters, respectively. For simplicity of notation, we use AB to represent A U S for sets A and 
B, and {V} is represented as V. For example, AV = AU {V}. Furthermore, let A — B be a difference set of A 
and B, and the cardinality of a set A is denoted by 
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Equation (1) implies that secret S leaks out from any set A G Ae with the amount of 
{i/L)H{S). Especially, S can be completely decrypted from any A G Al, but any A ^ Aq 
leaks out no information of S. Hence, in the case of L = 1, ramp SS schemes reduce to 
perfect SS schemes. Without loss of generality, we can assume that Ae 7^ Ae' holds for £ ^ H! . 
Furthermore, we also assume that U£"=o ~ ^ ■ 

For example, an access structure of a (A;, L, n)-ramp SS scheme [2, 14] can be defined as 
Aq = {A ■ ^ < \A\ < k - V), Ai = {A : \A\ = k - L ^ 1} ioTi \ < I < L - \, and 
Al = {^A : k < \A\ < n\. It is shown in [10] that ramp SS schemes with general access 
structures can be constructed if and only if the following conditions are satisfied. 



Theorem 2 ([10]) A ramp SS scheme with access structure = {^Aq^A\^...^Al) can be 
constructed if a: 
following sense: 



constructed if and only if each Ai *== Ujt=^>^fe)^ = 1, 2, . . . ,L satisfies the monotonicity in the 



AeAe A' e A^ for all A' d A. (2) 

□ 

In the case of L = 1, (2) in Theorem 2 coincides with the necessary and sufficient condition 
to realize a perfect SS scheme with an access structure Fi = {.Ao,^i}, which is proved in [8] 
From Theorem 2, the minimal access structure Aj , 1= 1,2, ... ,L can be defined as follows: 

AJ = {AeAe:A-{V}^ Ae for any V G A}. (3) 

Proof of Theorem 2 ([10]): We will prove only the sufficiency of (2) because the necessity is clear. 
Let S = {Si, S2, ■ ■ ■ ,Sl} be a secret. From [8], in the case that (2) holds, we can construct 
a perfect SS scheme for the secret with the access structure f ^ =^ {2^ — Ae, Ae} for every 

def 

£ = 1,2, . . . , L. Then, let Ve = {Ve^i,Ve^2, ■ ■ ■ , Vi,n} be the set of whole shares for such a perfect 
SS scheme with access structure F^ for the secret Se- 

Now, we define Vi '= {Vi^i, V2,i, . . . , VL,i} by collecting the i-th. share of Ve, £ = 1,2, . . . , L. 
Then, it is easy to check that the share set V = {Vi, V2, • • • , Vn} realizes the ramp SS scheme 
with access structure F^ for the secret S. In this case, we can decrypt {^i, 5*2, ... , Se} from a 
share set A G Ae, although A cannot obtain any information of {Se, Se+i, ■■■ , Sl}, and hence, 
(1) is satisfied. □ 

def 

In ramp SS schemes, the coding rate of the i-th share can be defined as pi = H{Vi)/H{S). 
To realize efficient ramp SS schemes, each coding rate of a ramp SS scheme should be as small 
as possible. Furthermore, it is known that pi > 1/ L must hold for each i = 1,2, ... ,n in any 
ramp SS scheme with L-level access structure Tl [10, 14]. From this viewpoint, the ramp SS 
schemes shown in the proof of Theorem 2 are not efficient. On the contrary, Okada-Kurosawa 
[12] presented the following example of a ramp SS scheme with a general access structure, which 
is more efficient than the ramp SS scheme shown in the proof of Theorem 2. 

Example 3 ([12]) Consider the following access structure F|^ for a set of shares V = {Vi, V2, V3, 
V4}. 

Al ={{Vi,V4},{V2,V4}}, (4) 
A2={{Vi,V2,Vs}}. (5) 



Then, by letting the secret he S = {>S'i,S'2}, a ramp SS scheme for the access structure Tl^ in 
(4) and (5) can be reaHzed as 

Vi = {Ri,R3}, (6) 

V2 = {R2,R4}, (7) 

V3 = {Ri + R4 + Si,R2 + R3 + S2}, (8) 
V4 = {Ri + Si,R2 + Si}, (9) 

where Ri , R2 and R3 are mutually independent random numbers which take values in the same 
finite field F. □ 

From Example 3, it is clear that the secret S2 can be decrypted from {Vi, V4}, but any infor- 
mation of 5*1 cannot be obtained from the set. Hence, since Si and S2 are mutually independent, 
it holds that H{S\ViV4) = H{Si) = H{S)/2. In this way, if the partial information of the secret 
can be explicitly decrypted from every non-qualified set of shares, it is easy to calculate the 
amount of leaked information. Furthermore, we also note that such a ramp SS scheme can be 
considered as a special case of perfect SS schemes with L plural secrets [3,4,6]. 

In SS schemes with plural secrets, we assume that secret information is given by an L-tuple 

where S^^^ are mutually independent random variables. Then, an 
access structure for the secret S^^^ is given by r(-^) = _ ^ .,A^^^} where the secret 

can be decrypted from any set in A^^^ C 2^ for £ = 1, 2, . . . , L while no information of S^^^ 
can be obtained from any set A ^ . 

The SS schemes for L secrets with an access structure F^^) can be defined as follows: 

Definition 4 ([3])^ Let F^^^ = {A^^\ A^'^\ . . . , A^^^ be an access structure for L secrets 
denoted by S^^'^ = {S^^\ 3^"^^ . . . , S^^^ . Then, {S^^), F, F^^)} is called a SS scheme with L 
secrets if it satisfies for all £ = 1, 2, ... L that 

H{S^^'^ \A) = for any A G A^^\ (10) 

H{S^^^\A') = H{S^^y) foranyA'^^W. (11) 

□ 

From [3], Definition 4 is equivalent to the following definition. 

Definition 5 ([3]) Let F^^^ = {A^^\A^'^\ . . . ,A^^^} be an access structure for L secrets denoted 
by S'(^) = 5(2), . . . , S'(^)}. Let 5^^) C 5 be a subset of the secret that can be decrypted 

from a share set A C. V according to F^^), and we define that S^^^ = S - S^^\ Then, 
{S^^\ V,F(^)} is called a SS scheme with plural secrets S^^^ if it satisfies that 



H 



A =0, (12) 



(5(^)1 a) =i7 , (13) 

for all AOV. □ 



^In the definition of SS scliemes witli piural secrets in [3], it is assumed tliat Si, £ = 1,2, ...,L, are not 
always mutually independent. But, we can reduce the definition in [3] to Definition 4, in which Si a are mutually 
independent. 
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Based on Definition 5, we define the partially decryptable ramp SS schemes that characterize 
the ramp SS schemes shown in the proof of Theorem 2 and Example 3. 



Definition 6 Let S = {Si, S2, ■ ■ ■ , Sl} be secrets for an access structure Tl = {Ai,A2, ■ ■ ■ , Al}- 
Then, {S, V,Tl} is called a partially decryptable (PD) ramp SS scheme if there exists a part of 
the secret information Sa Q S satisfying that 

\Sa\ = i (14) 
H{Sa\A) = 0, (15) 
H {SX\A) = H (SX) , (16) 

for all A G ^(^) where 8^'^= S - Sa- □ 

Prom (15) and (16) in Definition 6, it holds that H{S\A) = H{Sa\S^A) + H(S^\A) = 
H{Sa), and hence, a PD ramp SS scheme satisfies Definition 1. 

Note that a PD ramp SS scheme can be regarded as a SS scheme with plural secrets. Con- 
versely, if a SS scheme for plural secrets S^^'^ with access structure P^^-* is given, we can construct 
a corresponding access structure of a PD ramp SS scheme for the secret S = {Si, S2, ■ ■ ■ , Sl} = 
{5(1) , 5(2) , . . . , } in the following way: Assign each share set A C "V^ to the family Ag where 
£ is given by 

{£' -.Ae A(^') G r(-^)} . (17) 

Then, the tuple of families {.4o,v4i, . . . ,Al} '= Pl can be regarded as the access structure of 
the PD ramp SS scheme. 

The difference between Definition 5 and Definition 6 is summarized as follows: In Definition 
5, from a share set A C V, we can decrypt a subset of secrets S^^\ i.e., S^^\ according to the 
access structure P^^). However, in the PD ramp SS schemes defined in Definition 6, a share set 
A e Ae decrypts some Sa which satisfies (14), i.e., Sa is not specified by the access structure 
Pl. 

We note that the amount of the leaked information about S from a share set A G Ae is 
{1/ L)H{S) in PD ramp SS schemes. Hence, in the sense of (1), there is no difference between 
Definition 1 and Definition 6. That is, both definitions guarantee the same security in the case 
that S is meaningless if some part of S is missing. However, if each part of S has explicit 
meaning, PD ramp SS schemes are not secure, and hence, not desirable. 

To overcome such defects, Yamamoto defined strong ramp SS schemes as follows [14]^: 

Definition 7 ([14]) Let S = {Si, S2, ■ ■ ■ , Sl} and P^ be a secret and an access structure, 
respectively. Then, {P/,, V, S} is called a strong ramp SS scheme if for all ^ = 0, 1, . . . , L — 1, 
A^ Ai satisfies (1) and 

H{SA ■ ■ ■ S^,_,\A) = HiSj,Sj, . . . Sj,_,) for ah {S^^Sj,, Sj,_,} C S. (18) 

□ 



In [14], strong ramp SS schemes are defined for {k, L, n)-threshold ramp access structures. 



Definition 7 implies that strong ramp SS schemes do not leak out any part of the secret 
explicitly from a non-qualified set A ^ Al- Now, from this point of view, we review the 
(fc, L, 77,) -threshold SS scheme based on Shamir's interpolation method. 

Remark 8 Wc note that the (k, L, n)-threshold ramp SS scheme, which is an extension of 
Shamir's interpolation method [13], is not always a strong ramp SS scheme. For instance, 
consider a (4, 2, n)-threshold ramp SS scheme by using the following polynomial of degree 3 over 
the finite field Z17. 

f{x) = Si + S2X + Rix^ + R2X^, (19) 

where S = {iS'i,S'2} is a secret, and Ri and R2 are independent random numbers. The i-ih. 
share is given hy Vi = f{i). Then, from a simple calculation of V3, Ve and V15, we have 

5S2 = 7V3 + 9V6 + Vi5. (20) 

This means that partial information S2 can be decrypted completely from shares V3, Ve and F15. 

We also note that from share set {Vi,V2,V3}, we have H{Si\ViV2V3) = H{Se) for ^ = 1,2, 
and hence, the ramp SS scheme in this example is neither PD nor strong^. □ 

Remark 8 shows that it is difficult to construct strong ramp SS schemes in general. In [14], 
it is proposed how to construct strong {k, L, n)-threshold ramp SS schemes, but it is not known 
how to construct strong ramp SS schemes for general access structures. 

Fortunately, PD ramp SS schemes with general access structure can easily be constructed 
if F^ satisfies monotonicity given by (2) in Theorem 2. Furthermore, it is easy to calculate how 
much information leaks out from each non-qualified set in PD ramp SS schemes. Therefore, we 
propose a method to construct strong ramp SS schemes with general access structures based on 
PD ramp SS schemes. 

3 Strong Ramp Secret Sharing Schemes with General Access 
Structures 

In this section, we propose how to construct a strong ramp SS scheme with general access 
structure F^, from a given PD ramp SS scheme with the same access structure Tl. 

Since a PD ramp SS scheme with general access structure F^, can always be constructed if 
F^, satisfies (2) in Theorem 2, we assume that a PD ramp SS scheme with access structure F^ = 
{^1,^25 ■ ■ ■ , Al} is obtained for a secret S = {Si, S2, ■ ■ ■ , Sl}. Denote by (^n, (S, R.) the encoder 
of such a PD ramp SS scheme with the access structure Fl for the secret S where R represents 
a set of random numbers used in the encoder. Then, we choose publicly an L x L non-singular 
matrix T and define a new encoder frA^', R) = (prd^'T, R) where S' = {S[, S'^,..., S'^}^. 

The next theorem gives the necessary and sufficient condition of T that realizes a strong 
ramp SS scheme with the access structure F^ for secret S' = {S[,S'2, . . . , S^}. 
*In [7], a construction method is discussed for neither PD nor strong ranip SS schemes. 

^Hereafter, for simphcity of notation, we identify the sets S = {Si, S2, ■ ■ ■ , Sl} and S' = {S'l, S^, ■ ■ ■ , S'^} with 
L-dimensional row vectors [Si 5*2 •• • Sl] and [S'l Si - ■ ■ S'l], respectively. 



Theorem 9 Suppose that the encoder i?^r(<S', R) of a PD ramp SS scheme with an access struc- 
ture for a secret S is given. Let Sa be the partial information of the secret S that can be 
decrypted explicitly from a share set A in the PD ramp SS scheme, and denote by I{A) the set 
of indices of Sa- Then, we construct a new encoder (^r^ {S',R) =^ ^r^, {S'T, R) for a new secret 
S' = {S[, S'2, . . . , S'j^} by using a publicly opened L x L non-singular matrix T. 

Then, the necessary and sufficient condition of T to realize a strong ramp SS scheme 
{S',V,Tl} is given by 

rank [T-i] L - ^ (21) 

for all A G Ae, £ = 0,1, . . . , L, where [T~^] ^(^^/jj 'J^j the submatrix that consists of the ii-th, 
i2-th, . . . , iu-th rows, and the ji-th, j2-th, . . . , ju-th columns of T~^. □ 

Remark 10 Theorem 9 implies that any strong ramp SS schemes can be obtained from the 
corresponding PD ramp SS schemes without loss of coding rates. □ 

Proof of Theorem 9: Since the matrix T is non-singular, S has one to one correspondence 
with S'. Hence, S' is also a set of L mutually independent random variables according to the 
same uniform distribution. Therefore, it holds that H{S) = H{S') = Llog |F| where F is a finite 
field in which Si, i = 1,2, ... ,L take values. 

Then, for any A G Ae, i = 1,2, ... ,L, where Ti = {Aq, Ai, ■ ■ ■ , Al} is the access structure 
of the PD ramp SS scheme, we have 

H{S'\A) = H{S\A) = ^HiS) = iL-e) log |F| = ^H{S'). (22) 

Therefore, (1) holds for secret S'. Next, from (18), we have for any {5"^^, S'j^, . . . , Sj^_^} C S' 
that 



.}-IiA 
■dL-e) 



H (5^1 A) 



^^H{Sa) = {L- i) log |F| = H{S'^^S'^^ . . . S'^^J, (23) 

where equalities (a), (b), and (c) hold because of (15), (21) and (16), respectively. 

Finally, we note that the necessity of (21) is clear since equality (b) in (23) does not hold if 
(21) is not satisfied. □ 

From the proof of Theorem 9, it is sufficient to choose the matrix T satisfying, instead of the 
condition (21), that every submatrix of has the full rank. We note that the Hilbert matrix 
Th has such a property. Each element of an L x L Hilbert matrix Th = [tij] i<i<l is given by 

l<j<L 

Uj = (24) 
where xi and yj must satisfy for all i,j € {1, 2, . . . , L} that 

Xi + Vj + 0. (25) 
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Note that every submatrix of the Hilbert matrix is also a Hilbert matrix, and the determinant 
of the matrix Th can be calculated as follows: 



n i^i-^j) n (yi-yj) 



det Th = '-'^'-"^ ^ ^ . (26) 

flflixi + yj) 

i=ij=i 

Hence, it is clear that every submatrix of Th is non-singular if and only if 

Xi 7^ Xj and 7^ yj (27) 

are satisfied for i 7^ j in addition to (25). Since |F| is usually assumed to be sufficiently large in 
ordinal ramp SS schemes, it is easy to choose {xj},^^ and {yi}^^i satisfying (25) and (27). 
Then, from Theorems 2 and 9, the following theorem holds. 

Theorem 11 A strong ramp SS scheme with access structure can be constructed if and only 
if each Ae, £ = 1,2, . . . ,L, satisfies the monotonicity given by (2) of Theorem 2. □ 

Example 12 Note that matrices satisfying (21) may exist besides the inverse of Hilbert matrices. 
As an example, in the case of L = 2 and |F| > 3, we can use the following matrix T^^, the inverse 
of which is not a Hilbert matrix. 



1 1 
1 -1 



(28) 



By using the matrix T"^^ in (28), the PD ramp SS scheme given by (6)-(9) in Example 3 can 
be transformed into a strong ramp SS scheme with access structure Tf^ given by (4) and (5) 
such that Vi = {Ri,R3}, V2 = {R2,R4}, V3 = {Ri + R4 + S[ + S'^, R2 + R3 + S[ - S'^}, and 
V4 = {Ri + S[ + S2,R2 + S[ + S2}. It is easy to check that V = {Vi, V2, V3, V4} realizes a strong 
ramp SS scheme with access structure for secret S' = {S[,S2}- 

We note here that, in the case of the access structure Fl'' in Example 3, the minimum size 
of F is 2 in order realize the PD ramp SS schemes for secret S [12], although |F| > 3 is required 
to realize a strong ramp SS schemes for S' if we use the transformation T^^ in (28). In this way, 
the minimum size of F to realize strong ramp SS schemes generally becomes larger than that 
required to realize PD ramp SS schemes. □ 

Remark 13 Note that the matrix T described in Theorem 9 is the transformation from a PD 
ramp SS scheme to a corresponding strong ramp SS scheme. However, weak but not PD ramp 
SS schemes as shown in Remark 8 cannot always be transformed into strong ramp SS schemes 
by the matrix T satisfying (21). For example, consider the (3, 2, 3)-threshold ramp SS scheme 
given by Vi = Si + R, V2 = Si + S2 + R, and V3 = R, where R is a random number [14]. Then, 
these shares realize a weak but not PD ramp SS scheme. If we transform this ramp SS scheme 
by using S = S'T^"" where T^^ is given by (28), we have Vi = S[ + S'2 + R, V2 = 2S[ + R, and 
V3 = R. It is easy to check that Vi, V2 and V3 do not realize a strong ramp SS scheme for S'. □ 
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